About sabi4evr_com

If some one else has to follow the thread later in future, the below are the steps I have done. 1. Downgraded the new firewall to the same version as the current firewall version 2. As the device is new, you can either configure your management port to reach the internet and then download the images or download them manually from the palo alto website to upload the base image files and then the require patch file 3.The downgrade process is so simple as the upgrade process, just follow the GUI to install the image files 4. Restore the latest configuration from current unit to new one 5. Connect the cables 1 by 1 from old to new unit 6. Reboot the device and make sure its up and running But after the final restart it was noticed that the FW device is not coming online. The device is UP, can login via SSH but the login pages or the network was not up and running. No blinks for status lights or interface lights. Looking at the services, it was noticed that some cdb service was stopped. Also the auto commit was getting failed. Came to realize that this is a known issue when we are downgrading the devices from a higher to lower version. The article explains the technical reason, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMArCAM&lang=en_US%E2%80%A9 I was able to get the device online by running the below command, which worked in my scenario. Debug management-server client disable cord while committing you will get some error, mention commit failed. I believe you have to go into the configure mode and then do a force commit. Once the commit is done, the interfaces should come up and so is network. As soon as its live update the dynamic and other updates. But this wont fix the issue, restarting the device had the same issue. The issue was properly fixed when we upgraded the firewall version from 9.0.10 to 9.1.12-h3 I believe these issues are common while downgrading and can be fixed while upgrading the PAN OS.     ... View more

@aleksandar.astardzhiev Thanks dear. I did the migration and was busy with some other tasks hence the later reply. Just curious to know about this though. " My suggestion was to export the config, convert it for 9.1 and load it to the new device. You don't need to upgrade the old one.  " how to convert the configuration from 1 version to another? Any tool?   ... View more

@aleksandar.astardzhiev Hi there.   Why don't you want to start using the new device with 9.1? >> I have the old unit running with full configurations on version 9.0.10. So, if want to export and import all the configurations from 1 device to another both versions should match.   In my humble opinion it is better to put little more effor now by migrating the existing config to 9.1.  >> Very true, i am just worried about the support. The support is expired for this unit. So, I am very sure for some reasons the device didnt booted or crashed. They wont support. It happened though. 1 of my old unit was crashed and couldn't recover, but yes the support was active and helped out at that time.   My plan was to downgrade and restore the backup and then upgrade to the latest stable version.    ... View more

Hi @Mudhireddy please share the download link or guide me how to download the same. ... View more

Hi @kiwi  Thanks for helping out. I got the idea now. Tried but didnt worked out the way it should.   But so far I am able to manage it far better than before, thanks to the solutions provided.   I have noticed that you are using PA VM for testing purpose. I have only a production units here, so bit afraid to do experiments on the same.   How can I download such a VM? Does it needs a license?   Thanks   ... View more

Hi @kiwi    Thanks for guiding me.   I am slowly learning the methods. Yes, it does work and I am sure this can help me a lot. The new list I received is to block 250 IPs.  So, here is what I did. Copied the format to an excel and cloned the 250 rows and changed the IPs as required. Saved it as a .csv and pasted them in a notepad.   It was noticed that format was a little odd and I did some formatting to the notepad like adjusting white spaces. Tried with 1 line and it worked.   But when I tried multiple lines the CLI reported wrong formatting. But the formatting in notepad looks fine though.   The below was the syntax error.   admin@PA-3020# set address ADGOVCERT2021107-14 <name> <name> <Enter> Finish input admin@PA-3020# set address ADGOVCERT2021107-14ip-netmask 185.220.101.142/32   There was a missing 'space' between the 'description' and 'ip net mask'.   Is there any easy way to fix the formatting issue?   Other wise I have to copy and paste line by line, 250 lines in total. ... View more

Hi @kiwi  That looks cool. I will give it a try. May I know if its possible we can add all these newly imported IPs to an address group? ie; I already have a custom address group, where I have a list of IPs whom should be blocked. So, how can we update the existing list by adding new IPs? Possible via CLI?  ... View more

Yes, it happened. The primary PA FW was crashed and we couldn't recover. We had a huge network outage, it all happened with a faulty network switch which continuously sends the topology change packets to the entire network resulting in a network loop. At some point the FW was not responding, did a reboot after the backup. It never came back, the status lights were off except the power light. Even nothing from the console port as well, no messages or boot information showed up.   Luckily we had the PA OSS device. This is what we did.   1. Raised a case with the support at the highest priority 2. We powered on the OSS device and confirmed the PAN OS version 3. There was a version difference between these 2 devices 4. Downloaded the base PAN OS and the updates to match the version of PAN OSS to the live unit 5. With the help of mgmt port, updated the OS of OSS unit 6. Restored latest backup to the OSS unit 7. We did received some errors during the restoration, I believe those were some Firewall security rules, which was easy to troubleshoot 8. The support guys came into the scenario 9. For some reason, the OSS unit was not showing in device list. May be it wasn't added during the time of purchase 10. They added the unit with the SN # information 9. Downloaded the latest AV, URL, GP, Clientless VPN and other licenses from the portal and restored to the OSS unit 10. Removed the existing license information of faulty unit from the Portal 11. Assigned the license to the OSS unit and renamed the Unit to Production one 12. All services were restored 13. RMA was issued, but it took 2 weeks or so 14. The core team was unable to analyze the firewall as it was completely given up   The overall process might have taken 2-3 hours. As we were doing this for the first time on working hours it was a difficult one. Having the support engineer on the right time saved us a big time or else we could have spend more hours figuring out on how to transfer the licenses.  ... View more

Did you give a try in downloading and import the Threat license from the palo alto customer portal? If not, just give a try. Try the below methods to download the same. 1. login to customer support 2. Go to assets 3. Select devices 4. Download the Threat Prevention License I think the OSS should also have all the latest dynamic updates as well.   ... View more

I am not sure on the below. I have never tried to import the device state to the OSS unit as I was afraid that having the same configuration on 2 devices might have some impact on the network. I don't have a test network as well, so I didn't tried. So, far I am just backing up all the device backups on a monthly basis. What I know is that during that a device failure, we will need the PA support assistance in transferring the current PA licenses to the OSS unit. ... View more

Dear Abdul,    Am I mentioning the below in the configuration steps correctly? This is based on my idea so far. Please correct me if I am wrong.   STAGE 1 1. create agg grp 2. assign interface name (ae1) 3. interface type - Layer 3 4. config- virtual router > default security zone > Internal Zone 5. IPv4 - assign the static IP for this group 6. enable LACP 7. maximum interfaces? keep it 2? as only 2 interfaces will be used for this purpose? 8. Advanced - Other info > Management Profile > Select the management profile STAGE 2 1.Configure a new interface 2. Select aggregate group - ae1 3. leave the advanced settings to the default options ... View more

Dear Abdul,   Thanks for the update. Both switches are in stack. For my case can you please guide me through step by step for this configuration. Currently port #1 is configured and is connected with Cisco core switch. This port interface type is L3.   Do i need to create a similar interface configuration on port 3 for the second switch? And then proceed to the 'Add Aggregate Group'?   ... View more